DM VPN Tunnel issue

Vinayaka Raman · ‎08-04-2011

ISSUE: eigrp neighborship is flapping between DM VPN Spoke (10.13.0.18) and Hub router (10.13.0.1). I need your inputs in troubleshooting this.

Please let me know if you need more details

The tunnel state is up and up .

Crypto isakmp state is QM_IDLE.

LOGS:

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.13.0.1 (Tunnel1) is down: Peer goodbye received
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.13.0.1 (Tunnel1) is up: new adjacency
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.13.0.1 (Tunnel1) is down: Peer goodbye received
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.13.0.1 (Tunnel1) is up: new adjacency
%ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1, addr 10.13.0.1 841471C0 - looped chain attempting to stack
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.13.0.1 (Tunnel1) is down: holding time expired

on 10.13.0.18, the tunnel config is

interface Tunnel1

ip address 10.13.0.18 255.255.0.0

no ip redirects

ip mtu 1400

ip nhrp authentication 111

ip nhrp map multicast dynamic

ip nhrp map 10.13.0.1 205.204.2.251

ip nhrp map multicast 205.204.2.251

ip nhrp network-id 101

ip nhrp nhs 10.13.0.1

ip nhrp cache non-authoritative

ip summary-address eigrp 1 100.174.220.0 255.255.254.0 5

tunnel source FastEthernet4

tunnel mode gre multipoint

tunnel key 111

tunnel protection ipsec profile ocbackupvpn shared

end

Regards Vinayak

plumbis · ‎08-11-2011

Sounds like you might have packet loss.

Goodbye received indicates the neighbor declared us down. What does the other side of the tunnel see?

Are you seeing Input Queue drops or high CPU? These could be symptoms of overutilization on the device.

Finally you haven't set the bandwidth on the tunnel interface here, meaning that EIGRP thinks it can only use 50% of 4kb for packets. I'm assuming your physical connectivity is greater than 8kbps. I would suggest increasing the "eigrp bandwidth-percent" command to something over 100% so that it is equal to 50% of your physical or increase the tunnel bandwidth to match the physical CIR.

Vinayaka Raman · ‎08-11-2011

Thanks for your reply. I did work with a CISCO TAC to resolve this issue. Please find the details :

Issue:

DMVPN spoke tunnel is up but eigrp is flapping continuously.

Error Message:

*Mar 7 13:47:17.766: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1, addr 10.13.0.1 8409AC00 - looped chain attempting to stack

Symptomps:

Loss of packets:

TIFFABWBR1#ping 99.55.132.174 source fa4 repeat 1000

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 99.55.132.174, timeout is 2 seconds:

Packet sent with a source address of 99.55.132.169

....!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!........!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!........

Success rate is 96 percent (812/840), round-trip min/avg/max = 1/1/20 ms

TIFFABWBR1#

Please note during the packet loss, the eigrp neighborship is up.

Troubleshooting steps:

Worked with AT&T to find out if this is an ISP issue. Replaced the cable between router and the modem. NO LUCK.

Worked with Cisco and identified there is a routing loop with the help of debug outputs (attached). Implemented an inbound distribute list (attached) on Tiffin backup router to filter out the duplicate routes and tunnel came up.

Cause:

The ip address for fa 4 interface of TIFFABWBR1 is 99.55.132.169.

We have a static route pointing on GRV hub router towards Tiffin.

GRVVPNCR2#show run | i 99.55.132.169

ip route 99.55.132.169 255.255.255.255 205.204.2.254

GRVVPNCR2#

This same route is being redistributed on HUB and advertised to spoke router which has caused this issue.

router eigrp 1

timers active-time 30

redistribute static metric 500 50 100 100 1500 route-map blockdefaultroute

network 10.13.0.0 0.0.255.255

network 100.0.0.0

distribute-list 1 out Tunnel2

distance eigrp 210 171

no auto-summary

Inference:

The cisco TAC recommends NO to redistribute the static routes on the GRV hub router unless we have a specific design consideration.

Regards Vinayak